... to include a fix for
https://github.com/advisories/GHSA-c2h3-6mxw-7mvq .
(Note that Skopeo doesn't depend on the vulnerable code,
so this is primarily to avoid dependency checker warnings.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We currently need it to drag in recent versions of other dependencies,
per https://github.com/containers/skopeo/issues/796 .
I'll work to update the relevant dependencies in c/image, but that will
only propagate to skopeo in the next c/image release; in the meantime,
this at least undoes the downgrades.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Temporarily vendor opencontainers/image-spec from a fork
to fix "id" value duplication, which is detected and
refused by gojsonschema now
( https://github.com/opencontainers/image-spec/pull/750 ).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Required to update those dependencies in containers/image.
See https://github.com/containers/image/pull/446.
Updated by mitr@redhat.com to vendor from containers/image master again,
which brought in a few more dependency updates.
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Anyone running (vndr) currently ends up with failing tests in OCI schema
validation because gojsonschema has fixed its "$ref" interpretation, exposing
inconsistent URI usage inside image-spec/schema.
So, this runs (vndr), and uses mtrmac/image-spec:id-based-loader
( https://github.com/opencontainers/image-spec/pull/739 ) to make the tests pass
again. As soon as that PR is merged we should revert to using the upstream
image-spec repo again.
containers/storage got new dependencies, so we will need to re-vendor
eventually anyway, and having this separate from other major work is
cleaner.
But the primary goal of this commit is to see whether it makes skopeo
buildable on OS X.
Primarily vendor after merging mtrmac/image:openpgp.
Then update for the SigningMechanism API change.
Also skip signing tests if the GPG mechanism does not support signing.
Also abort some of the tests early instead of trying to use invalid (or
nil) values.
The current master of image-tools does not build with Go 1.6, so keep
using an older release.
Also requires adding a few more dependencies of our updated
dependencies.
